Those looking for quick solutions to the nation's deepening cyber skills crisis are unlikely to find them in the new National Cyber Workforce and Education Strategy document that the White House released this week.
But there are plenty of elements in the strategy that, if implemented as intended, could go a long way in addressing the skills scarcity over the long term, while also preparing future workers for cybersecurity careers, industry experts say.
The Biden-Harris administration's 60-page cyber workforce and education strategy further fleshes out the National Cybersecurity Strategy that the White House announced in May. It spells out an approach to workforce development and cyber education based on greater collaboration among public and private sector entities. The document also proposes ways to foster basic digital literacy and foundational cyber skills and ensure easy access to materials for honing on that knowledge on an ongoing basis.
"As with the National Cybersecurity Strategy, the National Cyber Workforce and Education Strategy seems more aspirational than practical," says Karen Walsh, cybersecurity compliance expert at Allegro Solutions. "At the core, it requires a huge investment at the K-12 level, which already suffers from lack of traditional teachers, let alone those who can interpret complex cybersecurity skills to youth."
The new strategy document, among other things, calls on federal agencies and departments to work with industry and academia in making more training materials available for upskilling and reskilling workers for careers in cybersecurity. It advocates increased use of skills-based hiring practices rather than purely academic credentials-based hiring.
It envisions a significant role for community colleges as a robust source for everything from entry-level workers to those familiar with industry- and occupation-specific technologies and requirements. The strategy encourages industry to create more "on-ramps to cyber careers through work-based learning opportunities," and to provide entry-level opportunities in cyber that offer opportunities for career advancement.
One important element of the workforce development strategy is its provision for increased diversity and inclusion in hiring practices within industry and the public sector. "To reach underrepresented and underserved communities, employers are encouraged to partner with organizations focused on enhancing the talent pipeline in these communities," the strategy document said.
Candy Alexander, president of the Information Systems Security Association (ISSA), says the new strategy is very high-level and visionary. It also refers to a lot of initiatives that are already in place, such as diversity hiring and encouraging individuals to join the federal cyber workforce.
But three things in particular stand out in the strategy, she adds: the emphasis on educating the general public, the incorporation of cybersecurity into the K-12 curriculum, and the call for a true public/private partnership with educators, industry, and government. "The ISSA has worked toward this effort for over 15 years, and the success of the newly announced strategy can only come from the unification of these entities," Alexander says.
On the education front, the strategy proposal includes approaches for bolstering cyber education from K-12 on through college and advanced degree programs. It encourages employers, industry groups, chambers of commerce, and others to actively participate in the creation and delivery of cyber education and training programs. "Education and training ecosystems should expand the availability of competency-based cyber education opportunities that accelerate knowledge acquisition and allow learners to demonstrate mastery at their own pace," the strategy document noted.
Leveraging community colleges offers a huge opportunity for both the cybersecurity industry and students seeking non-traditional advanced education, Walsh says. "Community colleges often provide a financially achievable education, and too often, society overlooks their value," Walsh notes.
For community colleges to become a valuable resource, cybersecurity professionals need to recognize the value that they can provide. "Rather than focusing on expensive certifications that often focus on theory, the industry should be looking for practical skills based on hands-on experience," Walsh says. "The use of community colleges to decrease the talent gap is one way to do that, but it will only work if the industry is open to it."
Clar Rosso, CEO of (ISC)2, calls the creation of the National Cyber Workforce and Education Strategy in itself a significant step forward. She says, "The strategy acknowledges both the cyber workforce shortfall, which our research puts at more than 410,000 cybersecurity professionals in the United States, and the significant risk that this presents for national, economic and societal security."
Components of the strategy that she considers most significant include its emphasis on greater federal collaboration, expanding the use of shared hiring practices, making more talent management tools easily available, increasing the availability of scholarship programs and removing roadblocks to entry — such as requiring security clearances for certain jobs — where possible.